Hi all! I have two Rancher environments that I'm managing – one v2.5 fronting a single RKE cluster, one v2.6 with a single imported cluster, both standalone Docker installs – and in both cases we have the agents talking back to the server through Cloudflare-proxied DNS across the public internet, despite living in the same VPC. The servers' certificate SANs do not currently include the raw IP addresses, if that's relevant, though I would also be fine wholly disabling TLS verification or disabling TLS altogether if all this traffic becomes internal (if those are even viable options). IP whitelisting has gotten a bit cumbersome on both sides as we move from pets => cattle, and the whole setup seems a bit silly. I definitely don't want to break our live environments, though.
Thoughts? Suggestions? I'd love to just have the agents talk to the private IP directly and have the node agents advertise their private IPs, dynamically resolved via the metadata service. The path for the latter seems pretty clear, though I don't know what risk exists of making that change in place. For agent => server comms I am not entirely clear what's necessary / possible or what risks exist.
Any help is much appreciated! Cheers.